<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Home on Prepakis Georgios | Kernelstub | Security Researcher</title><link>https://blog.kernelstub.dev/</link><description>Recent content in Home on Prepakis Georgios | Kernelstub | Security Researcher</description><generator>Hugo</generator><language>en-US</language><lastBuildDate>Mon, 16 Feb 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://blog.kernelstub.dev/index.xml" rel="self" type="application/rss+xml"/><item><title>A Full Infrastructure Takeover on GSIS.GR</title><link>https://blog.kernelstub.dev/posts/a-full-infrastructure-takeover-on-gsis.gr/</link><pubDate>Mon, 16 Feb 2026 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/a-full-infrastructure-takeover-on-gsis.gr/</guid><description>&lt;p&gt;&lt;strong&gt;Table of Contents&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="#phase-1-massive-reconnaissance-with-skuntscan"&gt;Phase 1: Massive Reconnaissance with SkuntScan&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-2-the-exposed-configuration-that-broke-everything"&gt;Phase 2: The Exposed Configuration That Broke Everything&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-3-ftp-and-the-forgotten-server"&gt;Phase 3: FTP and the Forgotten Server&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-4-oracle-webcenter-leaks-and-ldap-access"&gt;Phase 4: Oracle webCenter Leaks and LDAP Access&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-5-hardcoded-jwt-private-key"&gt;Phase 5: Hardcoded JWT Private Key&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-6-server-status-as-a-network-mapping-tool"&gt;Phase 6: Server-Statme as a Network Mapping Tool&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-7-iis-short-names-and-aspnet-backend"&gt;Phase 7: IIS Short Names and ASP.NET Backend&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-8-domibus-424--finding-the-zero-day"&gt;Phase 8: Domibme 4.2.4 – Finding the Zero-Day&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-9-from-xxe-to-ssh-on-borisgsisgr"&gt;Phase 9: From XXE to SSH on boris.gsis.gr&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-10-axis2-admin-service--deploying-a-backdoor"&gt;Phase 10: Axis2 Admin Service – Deploying a Backdoor&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-11-privilege-escalation-to-root"&gt;Phase 11: Privilege Escalation to Root&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-12-internal-network-pivot--the-1019318024-discovery"&gt;Phase 12: Internal Network Pivot – The 10.193.18.0/24 Discovery&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-13-staging-authentix-auth-and-the-database-goldmine"&gt;Phase 13: STAGING-AUTHENTIX-AUTH and the Database Goldmine&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-14-switches-firewalls-and-control-surfaces"&gt;Phase 14: Switches, Firewalls, and Control Surfaces&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="#phase-15-15-million-citizens--what-i-found"&gt;Phase 15: 15 Million Citizens – What I Found&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="phase-1-massive-reconnaissance-with-skuntscan"&gt;Phase 1: Massive Reconnaissance with SkuntScan&lt;/h2&gt;
&lt;p&gt;Every engagement starts with comprehensive reconnaissance. SkuntScan, our in‑house tool, combines passive enumeration with intelligent fingerprinting. It scrapes certificate transparency logs, DNS records, web archives, and then correlates everything with IP space to build a complete map of the target.&lt;/p&gt;</description></item><item><title>Reverse Engineering a 2012 Toyota Yaris: From OBD-II to Exploit Chain</title><link>https://blog.kernelstub.dev/posts/reverse-engineering-a-2012-toyota-yaris-from-obd-ii-to-exploit-chain/</link><pubDate>Fri, 06 Feb 2026 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/reverse-engineering-a-2012-toyota-yaris-from-obd-ii-to-exploit-chain/</guid><description>&lt;h2 id="chapter-1-introduction-and-laboratory-setup"&gt;Chapter 1: Introduction and Laboratory Setup&lt;/h2&gt;
&lt;p&gt;I picked a 2012 Toyota Yaris for this project mostly because of what it isn&amp;rsquo;t: it&amp;rsquo;s not a flagship, it&amp;rsquo;s not loaded with the kind of aftermarket telematics and OTA update infrastructure that makes modern vehicles a moving target for remote attacks, and it&amp;rsquo;s cheap enough on the used market that I could buy one, break it, and not lose sleep over it. That&amp;rsquo;s actually the point. Cars like this one make up a huge chunk of the vehicles still on the road today, and the electronics inside them were designed in an era when &amp;ldquo;attack surface&amp;rdquo; mostly meant &amp;ldquo;whoever plugs a scan tool into the OBD-II port at a dealership.&amp;rdquo; Nobody was thinking about buffer overflows delivered over a CAN frame. That assumption, it turns out, ages badly, and this post walks through exactly how badly.&lt;/p&gt;</description></item><item><title>How I Built an Off-Grid Meshtastic LoRa Radio</title><link>https://blog.kernelstub.dev/posts/how-i-built-an-off-grid-meshtastic-lora-radio/</link><pubDate>Sun, 18 Jan 2026 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/how-i-built-an-off-grid-meshtastic-lora-radio/</guid><description>&lt;p&gt;I wanted a way to send text messages across kilometers of terrain without a cell tower, without Wi-Fi, and without paying anyone a monthly fee for the privilege. That&amp;rsquo;s basically the pitch for Meshtastic: cheap LoRa radios that form a self-healing mesh network and pass short messages, GPS positions, and telemetry from node to node. Pair that with solar power and you get something that can sit on a hilltop indefinitely, which is exactly what I set out to build. This post walks through the whole thing: the hardware, the firmware, the antenna theory I had to relearn the hard way, and what I&amp;rsquo;d change next time.&lt;/p&gt;</description></item><item><title>Comparing tfsec and Checkov for Hardening Infrastracture</title><link>https://blog.kernelstub.dev/posts/comparing-tfsec-and-checkov-for-hardening-infrastracture/</link><pubDate>Wed, 12 Nov 2025 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/comparing-tfsec-and-checkov-for-hardening-infrastracture/</guid><description>&lt;h2 id="why-iac-hardening-matters"&gt;Why IaC Hardening Matters&lt;/h2&gt;
&lt;p&gt;Here&amp;rsquo;s the thing about infrastructure as code that makes it both wonderful and terrifying: once you write a mistake into a Terraform module, that mistake doesn&amp;rsquo;t stay put. It gets copied. A junior engineer finds your &lt;code&gt;s3-bucket&lt;/code&gt; module in the internal registry, sees it&amp;rsquo;s already &amp;ldquo;battle tested,&amp;rdquo; and reuses it in three more projects without reading past the variable names. If that module happened to leave logging disabled or granted a role &lt;code&gt;&amp;quot;*&amp;quot;&lt;/code&gt; on &lt;code&gt;&amp;quot;*&amp;quot;&lt;/code&gt;, you haven&amp;rsquo;t made one mistake, you&amp;rsquo;ve made a template for making that mistake forever.&lt;/p&gt;</description></item><item><title>Decoding Auto Negotiation and Duplex Mismatch at the PHY Layer</title><link>https://blog.kernelstub.dev/posts/decoding-auto-negotiation-and-duplex-mismatch-at-the-phy-layer/</link><pubDate>Fri, 07 Nov 2025 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/decoding-auto-negotiation-and-duplex-mismatch-at-the-phy-layer/</guid><description>&lt;h2 id="understanding-the-physical-layer-phy"&gt;Understanding the Physical Layer (PHY)&lt;/h2&gt;
&lt;p&gt;If you&amp;rsquo;ve ever chased down a &amp;ldquo;the network is slow but only sometimes and only in one direction&amp;rdquo; ticket, there&amp;rsquo;s a good chance the real culprit was sitting quietly at Layer 1, way below anything a &lt;code&gt;ping&lt;/code&gt; or &lt;code&gt;traceroute&lt;/code&gt; will show you. That&amp;rsquo;s the world of the PHY chip, the piece of silicon on every Ethernet interface that actually puts bits onto the wire and pulls them back off again.&lt;/p&gt;</description></item><item><title>From Bits to Breaks A Low Level System Exploitation and Defense</title><link>https://blog.kernelstub.dev/posts/from-bits-to-breaks-a-low-level-system-exploitation-and-defense/</link><pubDate>Sat, 25 Oct 2025 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/from-bits-to-breaks-a-low-level-system-exploitation-and-defense/</guid><description>&lt;h2 id="introduction-and-scope"&gt;Introduction and Scope&lt;/h2&gt;
&lt;p&gt;Here&amp;rsquo;s the core question driving this whole project: how do software and hardware actually interact once you strip away the abstraction layers that normally hide the messy details from you? Compilers, operating systems, and runtimes exist precisely so you can forget about page tables, cache lines, and instruction pipelines while you get work done. Attackers, and the researchers trying to stay ahead of them, don&amp;rsquo;t get that luxury. Every exploit involving memory corruption, firmware, or a leaky microarchitectural feature lives exactly at that seam between the code you wrote and the silicon actually running it. This research examines that seam systematically, aiming to produce techniques reproducible enough to be useful, rigorous enough to be academically sound, and constrained enough to stay ethically defensible.&lt;/p&gt;</description></item><item><title>Advanced Linux Kernel Exploitation Techniques</title><link>https://blog.kernelstub.dev/posts/advanced-linux-kernel-exploitation-techniques/</link><pubDate>Thu, 27 Mar 2025 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/advanced-linux-kernel-exploitation-techniques/</guid><description>&lt;h2 id="introduction-to-linux-kernel-exploitation"&gt;Introduction to Linux Kernel Exploitation&lt;/h2&gt;
&lt;p&gt;Kernel exploitation sits at the top of the difficulty curve in offensive security, and for good reason. Userspace bugs get you code execution as some unprivileged process, but the kernel runs at Ring 0 (or EL1, if you&amp;rsquo;re on ARM) with unrestricted access to physical memory, every process&amp;rsquo;s address space, and every privilege check on the system. Pop a bug in the kernel and you&amp;rsquo;re not just compromising an application, you&amp;rsquo;re compromising the thing that enforces the rules for every application on the box. That&amp;rsquo;s why a single kernel LPE (local privilege escalation) bug is often worth more on the exploit market than a browser RCE: it&amp;rsquo;s the last mile between &amp;ldquo;I have a foothold&amp;rdquo; and &amp;ldquo;I own the machine.&amp;rdquo;&lt;/p&gt;</description></item><item><title>Advanced Windows Kernel Debugging Techniques</title><link>https://blog.kernelstub.dev/posts/advanced-windows-kernel-debugging-techniques/</link><pubDate>Mon, 10 Mar 2025 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/advanced-windows-kernel-debugging-techniques/</guid><description>&lt;p&gt;Kernel debugging is a different animal from the user-mode debugging most developers grow up with. You can&amp;rsquo;t just attach a debugger to a live kernel the way you&amp;rsquo;d attach to a misbehaving process, because the kernel is the thing that&amp;rsquo;s supposed to be managing every process on the box, including the debugger&amp;rsquo;s own. If it halts, everything halts. So Windows solves this the old-fashioned way: two machines. One is the &amp;ldquo;target,&amp;rdquo; the system whose kernel you actually want to inspect. The other is the &amp;ldquo;host,&amp;rdquo; running WinDbg, connected over a transport that survives the target being frozen mid-instruction: a network link, a serial cable, or USB. When you set a breakpoint and it hits, the &lt;em&gt;entire target machine&lt;/em&gt; stops, not just one process, and control passes to your host over that wire. That&amp;rsquo;s the mental model to keep in the back of your head for everything that follows: you&amp;rsquo;re not debugging a program, you&amp;rsquo;re debugging an operating system from the outside, one machine talking to another.&lt;/p&gt;</description></item><item><title>Advanced Cryptography Concepts via Classical to Post-Quantum</title><link>https://blog.kernelstub.dev/posts/advanced-cryptography-concepts-via-classical-to-post-quantum/</link><pubDate>Tue, 14 Jan 2025 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/advanced-cryptography-concepts-via-classical-to-post-quantum/</guid><description>&lt;p&gt;Cryptography has a strange history for a field that&amp;rsquo;s now load-bearing for the entire internet. A lot of the number theory underneath it was developed by mathematicians who were doing pure math for its own sake, with zero interest in secrets or spies. Then, starting in the 1970s, people realized that certain &amp;ldquo;hard&amp;rdquo; problems in number theory (the kind that are easy to state but brutal to solve at scale) were exactly what you needed to build systems where two strangers could agree on a secret over a public channel, or where you could prove your identity without ever handing over a password. This post is a walk through that stack, from the classical number-theoretic foundations, through the protocols built on top of them, and finally into the post-quantum schemes that exist because a sufficiently large quantum computer would tear a hole through most of what came before.&lt;/p&gt;</description></item><item><title>Introduction to Quantum Computing</title><link>https://blog.kernelstub.dev/posts/introduction-to-quantum-computing/</link><pubDate>Tue, 14 Jan 2025 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/introduction-to-quantum-computing/</guid><description>&lt;p&gt;Quantum computing gets talked about like it&amp;rsquo;s some kind of magic trick: a machine that tries every answer at once and just knows the right one. That&amp;rsquo;s a fun story, but it&amp;rsquo;s not really what&amp;rsquo;s happening, and understanding &lt;em&gt;why&lt;/em&gt; it&amp;rsquo;s not what&amp;rsquo;s happening is the fastest way to actually get quantum computing instead of just repeating buzzwords about it. So let&amp;rsquo;s slow down and build this up from the physics, piece by piece, and see how it turns into something you can actually run algorithms on.&lt;/p&gt;</description></item><item><title>Domain Generation Algorithms and Automatic Domain Registration in C2</title><link>https://blog.kernelstub.dev/posts/domain-generation-algorithms-and-automatic-domain-registration-in-c2/</link><pubDate>Fri, 04 Oct 2024 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/domain-generation-algorithms-and-automatic-domain-registration-in-c2/</guid><description>&lt;h2 id="what-is-a-domain-generation-algorithm-dga"&gt;What Is a Domain Generation Algorithm (DGA)?&lt;/h2&gt;
&lt;p&gt;If you&amp;rsquo;re running a botnet, you have a problem: your infected hosts need a way to phone home, but the moment defenders find your command and control (C2) domain, they blocklist it, sinkhole it, or hand it to a takedown request, and your whole fleet goes dark at once. A single hardcoded IP or domain baked into your malware is a single point of failure, and it&amp;rsquo;s the first thing an incident responder goes looking for when they pull apart a sample in a sandbox.&lt;/p&gt;</description></item><item><title>Custom Linux Kernel Hooks with eBPF</title><link>https://blog.kernelstub.dev/posts/custom-linux-kernel-hooks-with-ebpf/</link><pubDate>Wed, 02 Oct 2024 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/custom-linux-kernel-hooks-with-ebpf/</guid><description>&lt;h2 id="understanding-ebpf"&gt;Understanding eBPF&lt;/h2&gt;
&lt;h3 id="what-is-ebpf"&gt;What is eBPF?&lt;/h3&gt;
&lt;p&gt;If you&amp;rsquo;ve ever wanted to peek inside a running Linux kernel without recompiling it, patching it, or crossing your fingers and loading a sketchy out-of-tree module, eBPF is probably the tool you were looking for. The name is short for &amp;ldquo;extended Berkeley Packet Filter,&amp;rdquo; which is a bit of a historical accident: the original BPF, from the late 1980s, was a tiny virtual machine built to do one job, deciding whether a network packet matched a filter (think &lt;code&gt;tcpdump&lt;/code&gt;). It was small, fast, and deliberately dumb, which made it safe to run inside the kernel.&lt;/p&gt;</description></item><item><title>Introduction to ARM Architecture</title><link>https://blog.kernelstub.dev/posts/introduction-to-arm-architecture/</link><pubDate>Sat, 21 Sep 2024 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/introduction-to-arm-architecture/</guid><description>&lt;p&gt;If you&amp;rsquo;ve spent any time around x86 assembly and then gone to look at ARM, the first thing you probably noticed is how much cleaner it feels. That&amp;rsquo;s not an accident. ARM was designed from day one around a philosophy called RISC (Reduced Instruction Set Computer), which trades a huge, irregular menu of complex instructions for a small set of simple, fast, predictable ones. Instead of one instruction doing five things at once (the CISC way, which is how x86 grew up), ARM prefers to do those five things as five simple instructions, each of which the CPU can execute in a single, predictable cycle. This sounds like it should be slower, and instruction-for-instruction it sometimes is, but it makes the hardware simpler, cheaper to build, and dramatically more power efficient, which is exactly why ARM ended up running basically every phone, tablet, and now a growing share of laptops and servers on the planet.&lt;/p&gt;</description></item><item><title>Introduction to x64 ASM</title><link>https://blog.kernelstub.dev/posts/introduction-to-x64-asm/</link><pubDate>Sat, 21 Sep 2024 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/introduction-to-x64-asm/</guid><description>&lt;h2 id="1-introduction-to-assembly-and-x64-architecture"&gt;1. Introduction to Assembly and x64 Architecture&lt;/h2&gt;
&lt;h3 id="what-is-assembly-language"&gt;What is Assembly Language?&lt;/h3&gt;
&lt;p&gt;Every program you&amp;rsquo;ve ever run, whether it&amp;rsquo;s a shell script, a Python interpreter, or a AAA game engine, eventually gets reduced to a stream of raw binary instructions that a CPU can execute directly. Assembly language is the thin, human-readable layer sitting right on top of that binary stream. Each assembly instruction maps almost one-to-one to a single machine instruction, so when you write &lt;code&gt;mov rax, rbx&lt;/code&gt;, you&amp;rsquo;re really just writing a mnemonic for a specific sequence of bits that tells the processor &amp;ldquo;copy the contents of one register into another.&amp;rdquo; There&amp;rsquo;s no compiler doing clever things behind your back, no garbage collector, no runtime. What you write is (almost) exactly what runs.&lt;/p&gt;</description></item><item><title>Introduction to Windows Syscalls</title><link>https://blog.kernelstub.dev/posts/introduction-to-windows-syscalls/</link><pubDate>Tue, 17 Sep 2024 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/introduction-to-windows-syscalls/</guid><description>&lt;h2 id="what-are-system-calls-really"&gt;What Are System Calls, Really?&lt;/h2&gt;
&lt;p&gt;Every time your program does something that touches the outside world, opening a file, allocating memory, talking to the network, waiting on another thread, it&amp;rsquo;s asking the operating system to do that work on its behalf. Your program doesn&amp;rsquo;t get to poke the disk controller or the network card directly. It can&amp;rsquo;t, by design. The CPU itself enforces this separation through privilege rings: user-mode code (ring 3 on x86/x64) runs with a restricted set of permissions, while the kernel (ring 0) runs with full access to hardware and memory. A system call is the formal, controlled doorway between those two worlds.&lt;/p&gt;</description></item><item><title>Linux Syscalls Table (x86-64)</title><link>https://blog.kernelstub.dev/posts/linux-syscalls-table-x86-64/</link><pubDate>Fri, 13 Sep 2024 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/linux-syscalls-table-x86-64/</guid><description>&lt;h2 id="overview"&gt;Overview&lt;/h2&gt;
&lt;p&gt;Every time a program on Linux does something that touches the outside world, reading a file, allocating memory, sending a packet, spawning another process, it eventually has to ask the kernel to do it. User space code can&amp;rsquo;t just reach into the kernel&amp;rsquo;s data structures and start editing process tables or filesystem metadata; that would be a security and stability nightmare. Instead, it has to go through a narrow, well-defined door: the system call interface. This post is a reference table for that door on x86-64 Linux, listing every syscall number, its libc-facing name, its man page, and the kernel function that actually handles it once your program&amp;rsquo;s request lands.&lt;/p&gt;</description></item><item><title>Advanced C Programming Best Practices</title><link>https://blog.kernelstub.dev/posts/advanced-c-programming-best-practices/</link><pubDate>Mon, 29 Jul 2024 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/advanced-c-programming-best-practices/</guid><description>&lt;p&gt;C gives you almost nothing for free. There&amp;rsquo;s no garbage collector cleaning up after you, no runtime checking your array bounds, no exception handler catching your mistakes before they corrupt memory. That&amp;rsquo;s exactly why C is still the language of choice for operating systems, embedded firmware, and anything that needs to talk directly to hardware, and it&amp;rsquo;s also exactly why C code has such a long, embarrassing history of security vulnerabilities. The language trusts you completely. Most of &amp;ldquo;best practices in C&amp;rdquo; really boils down to one idea: build habits and guardrails that compensate for the safety net the language refuses to provide.&lt;/p&gt;</description></item><item><title>Hooking `getdents64` to Hide Directories in Linux</title><link>https://blog.kernelstub.dev/posts/hooking-getdents64-to-hide-directories-in-linux/</link><pubDate>Wed, 05 Jun 2024 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/hooking-getdents64-to-hide-directories-in-linux/</guid><description>&lt;h2 id="why-directory-hiding-even-works"&gt;Why Directory Hiding Even Works&lt;/h2&gt;
&lt;p&gt;Every time you run &lt;code&gt;ls&lt;/code&gt; in a terminal, or a graphical file manager draws a folder icon, something has to ask the kernel &amp;ldquo;what&amp;rsquo;s in this directory?&amp;rdquo; On Linux that question gets answered by the &lt;code&gt;getdents64&lt;/code&gt; syscall (the modern replacement for the older &lt;code&gt;getdents&lt;/code&gt;). The C library wraps it up neatly, but underneath, every single directory listing you have ever seen on a Linux box came from a userspace program calling into the kernel and getting back a buffer full of &lt;code&gt;linux_dirent64&lt;/code&gt; structures, one per file or subdirectory.&lt;/p&gt;</description></item></channel></rss>